Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
786
Views
3
Helpful
5
Replies

ISE 2.2 AnyConnect scaling with SGT, SXP

Go to solution
Peter Koltl
Level 7
Level 7

‎12-14-2017 02:04 AM

We are planning a two-node VM-3515 ISE 2.2 deployment for ASA and 6500 AnyConnect users with ISE posture and SGFW (SGT tagging and SGT based firewall rules and ISE-ASA SXP). Concurrent session number is about 100..300 so there is no scaling question with that. But the customer is considering Trusted Network Detection (or Always-on) with AnyConnect so I would like to know whether this deployment is capable of handling 6500 concurrent users. 

Are there any changes if we upgrade to 2.3 later?

1 Accepted Solution

Accepted Solutions

Go to solution
Jason Kunst
Cisco Employee
Cisco Employee
In response to Peter Koltl

‎12-14-2017 07:38 AM

I see. if you're needing SXP via PXGrid then no it won't scale. You would need a 3595 in standalone which supports up to 10k SXP bindings and 20k active radius sessions

View solution in original post

5 Replies 5

Go to solution
Jason Kunst
Cisco Employee
Cisco Employee

‎12-14-2017 04:20 AM

Sorry I am unclear of your question

Trusted network detection has nothing to do with ISE or scaling

ISE scaling all depends upon how many active sessions you have going at one time

Can you please clarify?

This is covered under https://www.cisco.com/c/en/us/td/docs/security/ise/2-3/install_guide/b_ise_InstallationGuide23/b_ise_InstallationGuide23_chapter_00.html

Go to solution
Peter Koltl
Level 7
Level 7
In response to Jason Kunst

‎12-14-2017 07:14 AM

TND results in a lot more concurrent sessions (up to 6500 compared to 300) that's why we need to determine correct VM scaling. ISE Performance & Scale document has useful data but I am unsure about how to interpret SXP session number scaling guides and need help to determine if VM-3515 is able to handle 6500 AnyConnect/posture clients and SXP too. (Document says that Max ISE SXP Bindings is 3750)

0 Helpful

Go to solution
Jason Kunst
Cisco Employee
Cisco Employee
In response to Peter Koltl

‎12-14-2017 07:38 AM

I see. if you're needing SXP via PXGrid then no it won't scale. You would need a 3595 in standalone which supports up to 10k SXP bindings and 20k active radius sessions

Go to solution
Peter Koltl
Level 7
Level 7
In response to Jason Kunst

‎12-14-2017 07:54 AM

No intent to use pxGrid, just SXP with ASA for SGT information exchange.

0 Helpful

Go to solution
Jason Kunst
Cisco Employee
Cisco Employee
In response to Peter Koltl

‎12-14-2017 08:03 AM

Please look at the numbers here. It indicates you would need a 3595 in standalone to support 6500 clients active at same time

https://communities.cisco.com/docs/DOC-68347#jive_content_id_ISE_SXP_Scaling_per_Deployment

0 Helpful
Customers Also Viewed These Support Documents